CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
Also known as: tabnabbing
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
Last updated
Overview
When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.
Real-world CVEs
12 recorded CVEs are caused by CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access). The highest-severity and most recent are shown first. 0 new CWE-1022 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2024-39727
IBM Engineering Lifecycle Optimization - Engineering Insights tabnabbing
Critical · CVSS 9.8 · EPSS 26th2024-12-25 - CVE-2022-1583Medium · CVSS 6.5 · EPSS 66th2022-05-30
- CVE-2020-36624Medium · CVSS 6.3 · EPSS 44th2022-12-22
- CVE-2025-33014
IBM Sterling B2B Integrator and IBM Sterling File Gateway link injection
Medium · CVSS 6.1 · EPSS 10th2025-07-18 - CVE-2022-4927Medium · CVSS 6.1 · EPSS 39th2023-03-05
- CVE-2018-25058
Twitter-Post-Fetcher Link Target twitterFetcher.js reverse tabnabbing
Medium · CVSS 6.1 · EPSS 41th2022-12-29 - CVE-2021-33697Medium · CVSS 6.1 · EPSS 44th2021-09-15
- CVE-2022-2600Medium · CVSS 5.4 · EPSS 40th2022-08-22
- CVE-2018-25089Medium · CVSS 5.3 · EPSS 40th2023-08-28
- CVE-2021-39112Medium · CVSS 4.8 · EPSS 50th2021-08-25
- CVE-2025-42941
Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad)
Low · CVSS 3.5 · EPSS 10th2025-08-12 - CVE-2025-59842
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
Low · CVSS 2.1 · EPSS 11th2025-09-26
Common consequences
What can happen when CWE-1022 is exploited.
Alter Execution Logic
Affects: Confidentiality
The user may be redirected to an untrusted page that contains undesired content or malicious script code.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
Technologies
How to prevent it
Practical mitigations for CWE-1022, grouped by where in the lifecycle they apply.
Specify in the design that any linked external document must not be granted access to the location object of the calling page.
When creating a link to an external document using the tag with a defined target, for example "_blank" or a named frame, provide the rel attribute with a value "noopener noreferrer".
If opening the external document in a new window via javascript, then reset the opener by setting it equal to null.
Do not use "_blank" targets. However, this can affect the usability of the application.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In this example, the application opens a link in a named window/tab without taking precautions to prevent the called page from tampering with the calling page's location in the browser.
Vulnerable example
<a href="http://attacker-site.example.com/useful-page.html" target="_blank">Attack input
window.opener.location = 'http://phishing.example.org/popular-bank-page';Safe example
<a href="http://attacker-site.example.com/useful-page.html" target="_blank" rel="noopener noreferrer">Vulnerable example
var newWindow = window.open("http://attacker-site.example.com/useful-page.html", "_blank");Safe example
var newWindow = window.open("http://attacker-site.example.com/useful-page.html", "_blank");Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-4927 — Library software does not use rel: "noopener noreferrer" setting, allowing tabnabbing attacks to redirect to a malicious page
Terminology & mappings
Alternate terms
- tabnabbing
Frequently asked questions
Common questions about CWE-1022.
- What is CWE-1022?
- The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
- What CVEs are caused by CWE-1022?
- 12 recorded CVEs are attributed to CWE-1022, including CVE-2024-39727, CVE-2022-1583, CVE-2020-36624.
- How do you prevent CWE-1022?
- Specify in the design that any linked external document must not be granted access to the location object of the calling page.
- How is CWE-1022 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1022?
- Exploiting CWE-1022 can lead to: Alter Execution Logic.
- Is CWE-1022 actively exploited?
- 12 recorded CVEs are caused by CWE-1022; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1022) (opens in a new tab)
- CWE-1022 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1022
Get alerted the moment a new CWE-1022 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.